Basically you connect the ONT to the ATT Gateway via VLAN's, let the ONT authenticate the gateway then swap VLANs with the gateway and pfSense so that pfSense is now on the VLAN with the ONT and the gateway is not. Apparently this works just fine.

The downside is that it apparently re-authenticates every 14 weeks requiring you to swap it back into the network.
The upside of the downside is that this re-authentication apparently works like clockwork down to the second.

My thought was to try doing the VLAN switching on pfSense and use cron to automate that so I can just put it all in a closet and walk away.
Will this work?

If not I've seen some documentation about gaining root access on my switch via telnet (Zyxel GS1900) so maybe I can schedule it there?

Apparently there is a linux eap_proxy workaround as well, but nothing for FreeBSD.

That's an interesting idea but sounds utterly disastrous if something goes wrong and you're not there to fix it. I wouldn't really trust a script to go switching interfaces/VLANs that could bring down my network. Verizon FIOS has similar issues when you don't use their crappy equipment… some have suggested putting a switch in between the ONT and pfSense and then cloning the MAC address of the ISP gateway so they will basically both get to talk to the ONT ... Llink to a big thread on that setup is below. It's hacky as well but it might be an option if you really need this, and doesn't require any scheduled script.https://forum.pfsense.org/index.php?topic=114389.msg635823#msg635823